Jonathan Underwood wrote:
> On 26/05/07, Andrew Suffield <[EMAIL PROTECTED]> wrote:
>
>> tcpdump -w just saves the traffic to a file. Saving the wireshark
>> capture does exactly the same thing, it's just easier to install
>> tcpdump; either way will work fine. Posting the captures so we can
>> look at it is probably the only thing left to do at this point, given
>> how bizarre this problem is.
>>
>> Remember - it's important to get a capture of the *same* session from
>> all the interesting points (at least the server, client, and both
>> interfaces of the firewall).
>>
>
> OK, I'll need a bit of time to do this...
>
>> We'll also need the output of 'shorewall dump' (I don't think you
>> posted that yet). Follow #3 on http://shorewall.net/support.htm
>>
>
> But this bit I have just done. I restarted shorewall with rate
> limiting in the ssh rule, on the server, and on my local machine tried
> to scp a file from the server to local machine, which stalled. While
> it was stalled (i.e. I didn't ctrl-c out) I did a dump, the result of
> which is attached.
>
> I'll work on getting useful tcpdump/wireshark output from the server.
A couple of things.
a) You are using the RATE LIMIT column of the rules file to limit SSH.
That is *not* recommended. Rather, we prefer the 'Limit' built-in
action. The former limits the total number of connections from all
sources while the latter is per-IP. So your observation that there was
nothing in /proc/.../ipt_recent is correct; with your ruleset, there
will *never* be anything there.
b) You are getting a lot of INVALID state packets. You might try adding
this to your /etc/shorewall/init file:
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
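The distinction Tom draws, a rate limit applied to the rule as a whole versus a per-IP limit, modelled in Python as an added example (not code from the thread or from Shorewall). The token bucket and per-source window are simplified stand-ins for the netfilter limit and recent semantics, and the addresses and timings are constructed; the point it shows is that a shared limit lets one noisy source cost a quiet one its connections, while the per-source limit only throttles the offender.

```python
# Model of the two limiting strategies contrasted in the reply above: a rate
# limit shared by every source (one token bucket) versus a per-address window
# as a per-IP limit backed by ipt_recent gives. Addresses/timings are constructed.
from collections import defaultdict, deque


class GlobalRateLimit:
    """Shared token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, src, now):
        # Refill by elapsed time; every source draws from the same bucket.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimit:
    """Per-source window: allow while the source has <= `count` hits in the
    last `seconds`; every hit is recorded, accepted or not."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # src -> timestamps of recent hits

    def allow(self, src, now):
        window = self.hits[src]
        while window and now - window[0] >= self.seconds:
            window.popleft()  # expire hits older than the window
        window.append(now)
        return len(window) <= self.count


def simulate(limiter, events):
    """events: (time, src) pairs. Returns {src: (accepted, dropped)}."""
    result = defaultdict(lambda: [0, 0])
    for now, src in sorted(events):
        result[src][0 if limiter.allow(src, now) else 1] += 1
    return {src: tuple(v) for src, v in result.items()}


# Constructed traffic: a noisy host opens 20 connections in 10 s while an
# admin host opens 3 in the same period.
NOISY = [(t * 0.5, "203.0.113.9") for t in range(20)]
ADMIN = [(1.25, "198.51.100.7"), (4.25, "198.51.100.7"), (8.25, "198.51.100.7")]
TRAFFIC = NOISY + ADMIN
```

Running `simulate(GlobalRateLimit(1.0, 5), TRAFFIC)` shows the admin host losing two of its three connections to the shared bucket, whereas `simulate(PerSourceLimit(3, 60), TRAFFIC)` accepts all three and drops only the noisy host's excess.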
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
